Merge pull request #7301 from poettering/loginctl-ellipsize

[thirdparty/systemd.git] / units / systemd-coredump@.service.in

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index f12b28d6a6ba0c8f38e60c3400d8dfbfa14e851f..ef58f0cb3ef5626d4c264f3de5204ad8bef39ebc 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -9,7 +9,6 @@
 Description=Process Core Dump
 Documentation=man:systemd-coredump(8)
 DefaultDependencies=no
-RequiresMountsFor=/var/lib/systemd/coredump
 Conflicts=shutdown.target
 After=systemd-remount-fs.service systemd-journald.socket
 Requires=systemd-journald.socket
@@ -19,9 +18,21 @@ Before=shutdown.target
 ExecStart=-@rootlibexecdir@/systemd-coredump
 Nice=9
 OOMScoreAdjust=500
+RuntimeMaxSec=5min
+PrivateTmp=yes
+PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=strict
-RuntimeMaxSec=5min
-SystemCallArchitectures=native
-ReadWritePaths=/var/lib/systemd/coredump
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
 ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+StateDirectory=systemd/coredump